AI Agent Framework Scan
CrewAI Agent Security Scan
TrustableClaw scanned a CrewAI repository snapshot and found no direct RCE path in the reviewed results, but identified high-attention agent safety patterns involving RAG memory, NL2SQL database tools, and auditability.
This is public framework usage-risk research, not a claim that every CrewAI deployment is vulnerable. Risk depends on how the framework is configured, what data sources are ingested, and what tools the agent can access.
No critical RCE found
The reviewed findings did not show a direct shell execution or remote-code-execution path in the core library.
Highest severity: High
The strongest confirmed risks involve memory/RAG poisoning and database query execution in compromised prompt contexts.
Manual review applied
6,508 raw scanner findings were reduced to 3 confirmed findings after false-positive filtering.
What we scanned
- Repository: crewAIInc/crewAI
- Commit: d3fc0d31f8e989131c8bbb19cb1544632b745a96
- Files scanned: 3,320
- Scan duration: 92 seconds
- Raw findings: 6,508
- Manually confirmed: 3
Confirmed findings
Memory poisoning risk via unsanitized vector store writes
knowledge/storage/knowledge_storage.py:120 · adapters/crewai_rag_adapter.py:353
The scan identified ingestion paths where document content can be written to ChromaDB or Qdrant-backed knowledge storage without a built-in trust label, sanitizer, or content inspection boundary. In deployments that ingest web pages, uploaded files, email attachments, or other external content, malicious instructions can persist in retrieval memory and later re-enter prompt context.
Unsafe database access pattern through NL2SQLTool
tools/nl2sql/nl2sql_tool.py:211
The NL2SQL tool translates natural-language requests into SQL and executes the generated query against a connected database. Read-only restrictions reduce destructive risk, but unrestricted SELECT access can still expose sensitive tables, columns, schema information, or internal metadata if the agent context is compromised.
Auditability gap for regulated agent workflows
Framework-wide execution and state-change paths
CrewAI includes telemetry and event mechanisms, but the scan did not identify a native cryptographic, hash-chained audit trail for every delegation event, tool call, database query, and execution step. This may be acceptable for many developer use cases, but regulated deployments often need stronger proof records.
Why the findings matter together
The important risk is not one isolated function. It is the combination of persistent retrieved memory, agent delegation, and powerful tools. A deployment that lets agents ingest untrusted documents and later act through database tools needs explicit trust boundaries between retrieved content and tool execution.
A plausible deployment-risk chain is: untrusted content enters a knowledge store, the poisoned chunk is retrieved into a later task, the LLM treats part of the retrieved content as an instruction, and a downstream tool such as NL2SQL executes a query without an approval gate. Runtime exploitability depends on the application configuration and connected tools.
Findings we ruled out
- Credential exposure flags that were standard Authorization header assignments, not credentials interpolated into prompts.
- Recursive-spawning flags that appeared to be internal framework classes rather than confirmed runaway agent behavior.
- Prompt-entrypoint flags where the framework intentionally passes task prompts to an LLM executor.
Recommended mitigations
- Validate, classify, or trust-label external content before it is written to a memory, RAG, or knowledge store.
- Run NL2SQL-style tools with restricted database roles, row-level security, schema limits, and query allowlists.
- Require confirmation gates before database, file, browser, email, admin, or MCP tool execution derived from retrieved memory or delegated agent context.
- Add tamper-evident execution records for tool calls, delegation, database queries, approvals, and state changes.
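An added example, not CrewAI's code or TrustableClaw's scanner, showing the last three mitigations applied to the deployment-risk chain described above: a gate that checks an agent-generated SELECT against a table allowlist, requires human approval whenever the prompt context contains retrieval chunks not labelled trusted, and records every decision in a hash-chained audit log. The table names, chunk labels and the `gate_sql`, `AuditLog` and `run_gated_query` helpers are assumptions for illustration.

```python
import hashlib
import json
import re
# Constructed allowlist for the demo; a real deployment derives it from the restricted DB role's grants.
ALLOWED_TABLES = {"orders", "products"}
TABLE_REFS = re.compile(r"\b(?:from|join)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)
# Constructed sample context: one trusted internal document and one chunk ingested from a web page.
SAMPLE_CHUNKS = [{"id": "policy-1", "trust": "trusted"}, {"id": "web-42", "trust": "untrusted"}]

def gate_sql(query: str, context_chunks: list[dict], approved: bool = False) -> dict:
    """Decide whether an agent-generated query may run (regex checks are illustrative; a read-only DB role must back them)."""
    reasons = []
    body = query.strip().rstrip(";")
    if not re.match(r"\s*SELECT\b", body, re.I):
        reasons.append("only SELECT statements are permitted")
    if ";" in body:
        reasons.append("multiple statements are not permitted")
    unknown = {t.lower() for t in TABLE_REFS.findall(body)} - ALLOWED_TABLES
    if unknown:
        reasons.append(f"tables outside allowlist: {sorted(unknown)}")
    # Any retrieved chunk not labelled 'trusted' taints the prompt context: require human approval.
    untrusted = [c["id"] for c in context_chunks if c.get("trust") != "trusted"]
    if untrusted and not approved:
        reasons.append(f"untrusted memory in context {untrusted}; approval required")
    return {"allowed": not reasons, "needs_approval": bool(untrusted), "reasons": reasons}

def _digest(prev: str, event: dict) -> str:
    return hashlib.sha256(json.dumps({"prev": prev, "event": event}, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained record of gate decisions; editing any entry breaks verify()."""
    GENESIS = "0" * 64
    def __init__(self) -> None:
        self.entries: list[dict] = []
    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": _digest(prev, event)})
        return self.entries[-1]["hash"]
    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(prev, e["event"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def run_gated_query(query: str, chunks: list[dict], log: AuditLog, approved: bool = False) -> dict:
    decision = gate_sql(query, chunks, approved)
    log.append({"tool": "nl2sql", "query": query, "context": [c["id"] for c in chunks], **decision})
    return decision
```

Denied queries are logged as well as allowed ones, so the chain records the attempt even when the gate blocks execution.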
How TrustableClaw found this
TrustableClaw's AI Agent Scanner looks for agent-specific risk patterns across files, not just conventional code bugs. It maps where untrusted content crosses into prompt context, where prompt context can influence tool execution, and where high-risk actions lack approval or verifiable audit records.